Thursday, February 03, 2011

Proactive and Continuous Compliance? For Real?

At one of the first security conferences I ever attended (probably in 2001 or so), there was this vendor dude who would not stop rambling about continuous compliance. I listened to him and it suddenly dawned on me: what an awesome idea! Running a security-focused, ongoing, multi-regulation program that delivers value to both business units and reduces risk – what’s not to love here?

However, over the years I’ve gotten more cynical on this matter; we all know our beloved security industry does this to people Smile As I said in my infamous “Top PCI DSS Security Marketing Annoyances”, ““Ongoing compliance” theme is awesome. Sadly, a majority of your customers [I was addressing security vendors in that post – A.C.] don’t do it like this (to their own loss – this why it is sad). They still have assessment-time rush, pleasing the assessor approach and checklist-oh-we-are-DONE! mentality. If you want to sell continuous compliance, you need to educate them first!

Despite such sentiment, I still love the idea of continuous, proactive, cross-regulatory approach to compliance. A mere fact that most organizations don’t do it like this, should not discourage the education efforts to make this more common.

In fact, some recent research indicates that maybe – just maybe – the tide is turning and organizations will start revolting against the “annual assessment rush”, “audit mentality” and “audit done? see ya next year, security!” themes. Even if very weak, there are other indicators that the value of running an ongoing compliance program with technical control assessment automation is growing more popular and newer tools may make it more real. Verizon Breach 2010 report and Verizon PCI report also seem to indicate that compliance programs help security, while annual compliance audits only work to unearth negligence and incompetence. The drive to operationalize PCI DSS controls (example) and to stay compliant (example) also seems to be growing, at least among the larger merchants. One more example comes from the whole FISMA theater – NIST folks now are all about “continuous monitoring” for FISMA compliance (see this FAQ).

In light of this, maybe the times of continuous, [more] automated compliance are upon us? It so happens that I’d be doing a SANS webcast to explore this topic on February 11. Join the conversation as well as a fight for useful and continuous compliance in service of security.

Is continuous compliance a reality at your organization? Are you doing something 9, 6, 3 months before the annual PCI DSS assessment? Do you meet the auditor once a year? Or do you make an effort to stay compliant?

Dr Anton Chuvakin